Introduction
In this article, we will discuss the process of changing the admin password in OpenSearch. One of the key security features in OpenSearch is the ability to manage user authentication and authorization. By default, OpenSearch comes with an admin user, which has full access to all the cluster operations and resources. It is essential to change the default admin password to ensure the security of your OpenSearch cluster. If you want to learn about OpenSearch security – configuration (certificates), check out this guide.
Prerequisites
Before proceeding with the steps to change the admin password, ensure that you have the following:
- OpenSearch and OpenSearch Dashboards installed and running.
- Access to the OpenSearch configuration files, typically located in the `config` directory of your OpenSearch installation.
- Access to the OpenSearch Dashboards configuration files, usually located in the `config` directory of your OpenSearch Dashboards installation.
Step 1: Generate a New Hashed Password
To change the admin password, you first need to generate a new hashed password. OpenSearch uses the bcrypt hashing algorithm for storing passwords. You can use the OpenSearch security plugin’s `hash.sh` script to generate a new hashed password. The script is located in the `plugins/opensearch-security/tools` directory of your OpenSearch installation.
Run the following command to generate a new hashed password:
bash ./hash.sh -p <new_password>
Replace `<new_password>` with your desired new password. The script will output a hashed password, which you will use in the next step.
Step 2: Update the Internal Users Database
The internal users database is stored in the `internal_users.yml` file, located in the `config` directory of your OpenSearch installation. Open the file in a text editor and locate the `admin` user entry. Replace the existing hashed password with the new hashed password generated in the previous step.
yaml
admin:
hash: <new_hashed_password>
reserved: true
hidden: false
opendistro_security_roles:
admin
attributes:
attribute1: value1
attribute2: value2
static: trueReplace `<new_hashed_password>` with the hashed password generated in Step 1. Save the changes and close the file.
Step 3: Restart OpenSearch
To apply the changes, you need to restart the OpenSearch service. The process of restarting OpenSearch depends on your installation method and operating system. Here are some common ways to restart OpenSearch:
1. For a tarball installation on Linux or macOS:
bash cd <path_to_opensearch_installation> ./opensearch-tar-install.sh stop ./opensearch-tar-install.sh start
2. For a DEB or RPM installation on Linux:
bash sudo systemctl restart opensearch.service
3. For a Windows installation:
powershell Restart-Service -Name opensearch
Step 4: Update OpenSearch Dashboards Configuration
To ensure that OpenSearch Dashboards can connect to the OpenSearch cluster using the new admin password, you need to update the `opensearch_dashboards.yml` configuration file. This file is located in the `config` directory of your OpenSearch Dashboards installation.
Open the file in a text editor and locate the following line:
yaml opensearch_security.auth.type: "basic"
Below this line, add the following lines:
yaml opensearch_security.auth.basic.username: "admin" opensearch_security.auth.basic.password: "<new_password>"
Replace `<new_password>` with the new password you chose in Step 1. Save the changes and close the file.
Step 5: Restart OpenSearch Dashboards
Finally, restart the OpenSearch Dashboards service to apply the changes. The process of restarting OpenSearch Dashboards depends on your installation method and operating system. Here are some common ways to restart OpenSearch Dashboards:
1. For a tarball installation on Linux or macOS:
bash cd <path_to_opensearch_dashboards_installation> ./opensearch-dashboards-tar-install.sh stop ./opensearch-dashboards-tar-install.sh start
2. For a DEB or RPM installation on Linux:
bash sudo systemctl restart opensearch-dashboards.service
3. For a Windows installation:
powershell Restart-Service -Name opensearch-dashboards
Conclusion
After completing these steps, you have successfully changed the admin password in OpenSearch. You can now use the new password to authenticate as the admin user when accessing the OpenSearch cluster and OpenSearch Dashboards.
